Volume One / Issue Three
The latest ideas on digital security to help you safeguard what’s most important to you
Cyber Security Journal
KEEPING NETWORKS ACCESSIBLE AND SECURE How companies can leverage the right tools and privileges to protect their critical systems.
HOW TO REDUCE THIRD-PARTY CYBER SECURITY RISK Outsiders have more access to the enterprise than ever before, but are they as secure as you are?
WAYS TO PROTECT YOUR MOST VALUABLE DATA Enterprises create more data every year: How can governance keep up with the volume?
Cyber Security Journal • Vol. One / Issue Three
Contents
Letter
3 From Craig Froelich, Chief Information Security Officer
Features
Neither Bank of America nor its affiliates provide information-security or information-technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to, warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information-security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information-security concerns, please contact your IT or information-security advisor. © 2020 Bank of America Corporation. All rights reserved. 3274638 EXP 10-07-2021.
4 How to Protect Your Data: Data is critical to performance and a competitive edge, yet many companies are struggling with the sheer volume of information — and living with an elevated risk of data theft or loss. But good governance is possible — even as a work in progress.
10 Balancing Network Access and Security: The time of simple password management and sign-on to company networks is ending. Access management is a fast-evolving but critical feature of cyber security: Learn how to create a strategy that leverages the right tools and smart principles.
16 The Science of Managing Third Parties: As business operations become more specialized, more third parties are plugging into company networks. It’s critical to evaluate the cyber security standards and weaknesses of any third party, especially those your company depends on most.
2 / Bank of America
We’re Dedicated to Protecting You Year-Round.
October is Cyber Security Awareness Month, and as part of our ongoing commitment to protect you, your business and the communities in which we operate, we are happy to share the third issue of our Cyber Security Journal. Helping you understand how to protect yourself and your company from cyber threats with the most current information available is one of our highest priorities, because your trust in us is essential to our business.
In this issue of our Cyber Security Journal, you will learn best practices for managing your data, access, and third-party vendors. Mitigating risk, learning these best practices and implementing them are essential steps to ensuring your company remains cyber secure during Cyber Security Awareness Month and beyond.
Craig Froelich
Chief Information Security Officer, Bank of America
feature one
How to Manage Your Data
Businesses need automation and smart strategies to meet threats within and outside the organization.
Call it the data/security paradox. As the volume and complexity of data increases, the ability to secure this information decreases. The reason? Businesses are struggling under an unprecedented load of data that is difficult to manage — and to understand. Many businesses aren’t fully aware of what data they have and where it’s stored. The situation presents a basic tenet of cyber security in real time: You can’t protect what you don’t know.

To safeguard information, businesses need to be able to see their data across the ecosystem, which often includes external third parties and vendors. They need to identify the most sensitive information and determine where it should reside and who needs access to it. In many cases, businesses also need to make sure the storage and access to this data comply with industry regulations.

This knowledge is more important than ever, as remote working schedules have pushed the boundaries of the data ecosystem beyond the central-office perimeter. Taking work out of the office makes it much harder to monitor employee access and behavior. One recent survey found that 88% of U.S. businesses said coronavirus work-from-home mandates have increased the frequency of cyber incidents.1

At the same time, overall security risks continue to mount. Another study found that 59% of global organizations experienced a significant data breach within the last 12 months, a 9% increase over the year before.2 (See page 8, "Data breaches by the numbers")

Detection and mitigation of these ramped-up risks require a data-governance framework that is unique to the organization. Data governance is a discipline that manages the quality and integrity of information to help ensure that data is reliable and trustworthy, while minimizing the risk of compromise.

Without a sound governing strategy, data management can become cumbersome, expensive or ineffective at mitigating the risk of data theft or loss. Finding the right solution is a formidable problem, but businesses that don’t implement a strategy must live with the increasing likelihood of breaches — and the financial and reputational impacts they can bring.

Data Theft
Data governance is a problem of growing complexity and importance in many industries.
“A successful data-governance program will require behavioral change from leadership. Buy-in must be top-down, not bottom-up.”
The benefits and challenges of data governance
Data governance is a work in progress for most companies and even technology experts. But the benefits of a strong framework are becoming clear. The right mix of technologies, processes and staff skills can strengthen cyber security, streamline operational processes and enable business leaders to make more informed, data-driven decisions.

As with most business priorities, good governance starts at the top. Leadership needs to recognize the value of its data and supply sufficient resources for a strong protective structure. This approach must involve more than greenlighting a technical solution. Decision makers need to understand the true benefit of generating, protecting and analyzing quality data. Smart data governance can deliver substantial cost savings to an organization, or potentially increase revenue through analytics and better competition strategies.

IT leaders should be prepared to deliver a persuasive, business-focused account of how governance can help balance security and data needs while reducing costs and boosting operational efficiency. If the rest of the company’s leadership doesn’t see the intrinsic value or fails to provide oversight and top-down direction, a governance strategy is difficult to implement.

Smart governance strategies also depend on data centralization to help ensure that only the most accurate and relevant information is being used. Centralization allows businesses to more efficiently — and cost-effectively — process large volumes of data while deriving its maximum value. It also enables more informed, data-driven decisions based on consolidated information.

For instance, centralized governance can improve performance by identifying and mitigating redundant data and processes. Combined with redundant controls and user monitoring, this can eliminate single points of failure so that one mistake by an employee doesn’t result in a data compromise. If a breach does occur, governance can shorten the time it takes to remediate the incident.

But as with any complex initiative, strategy implementation presents a number of challenges. Since data governance is a relatively new discipline, many businesses lack the knowledge and resources to establish a multifaceted data framework. Doing so will require integration of multiple systems, processes and controls across IT areas and lines of business.

Effective data governance must also balance security and strong policies with ease of use to help support end-user acceptance. This is critical because, when faced with burdensome, repetitive security processes, employees may opt to bypass governance rules and set up their own shared drives or cloud applications. This behavior may not be intentionally criminal — most people
“Businesses must identify sensitive information, determine where it resides and who needs access to it and establish relevant regulatory obligations.”
Data governance often depends on integrating many disparate systems.
A snapshot of the threat landscape
As data becomes more valuable to the enterprise, opportunities for cyber criminals multiply. Research shows that customer data is most at risk, but corporate-data and intellectual-property theft are growing concerns.

Types of records compromised (source: Ponemon Institute, Cost of a Data Breach Report 2020, July 2020):
• 80% Customer PII
• 32% Intellectual property
• 24% Anonymized customer data
• 23% Other corporate data
• 21% Employee PII

Biggest impacts of incidents and breaches (source: Deloitte, The Future of Cyber Survey 2019, March 2019):
• 21% Loss of revenue due to cyber incidents or breaches
• 21% Loss of customer trust
• 17% Change in leadership
• 16% Reputational loss
• 14% Regulatory fines
• 12% Drop in share price

Threat actors responsible for incidents (source: EY, Global Information Security Survey 2020, February 2020):
• 23% Outsiders: hacktivists
• 21% Insiders: employee weakness
• 20% Unknown actors
• 12% Insiders: malicious actors
• 12% Outsiders: organized
are just trying to get their jobs done, after all — but it can result in unnecessarily risky compromises.

One often-overlooked risk is the security profile and capacity of third-party partners that have access to their clients’ data, networks or applications. Companies will need to determine whether external partners have established security and privacy protections robust enough to protect and verify their data. And it’s important to remember that company data is the company’s responsibility, no matter where that information resides. This accountability cannot be offloaded to third-party partners or cloud providers.

Automated tools provide valuable assists
More than ever, effective data governance relies on technologies to automate processes and gain a deeper understanding of data. These tools include data classification, data-loss prevention (DLP) and machine learning.

A foundational component of governance is data classification, which organizes information into categories — such as “sensitive,” “regulated” and “intellectual property” — to help businesses more efficiently process and protect information. Data classification can also help speed up the detection and mitigation of breaches, which can deliver cost savings. Another critical consideration is data verification, which assesses data for accuracy.

When it comes to managing internal threats, DLP can be especially valuable. This is an approach to protecting data that uses policies, processes and technology controls to protect data in its various states (in use, in motion and at rest). DLP allows businesses to monitor user behavior to detect internal risks as well as unintentional data loss by insiders who transmit sensitive information to external networks and recipients.

Data breaches by the numbers:
• 59% of organizations experienced a significant or material breach in 2019, a 9% increase over the year before.1
• 91% of global businesses report an increase in overall cyber security compromises as a result of employees working from home.2
• $8.6 million: Average total cost of a data breach in the U.S. (the highest of any country).3
• $2.45 million: Average 2020 cost of a data breach for companies with fully deployed security automation.4
• $6 million: Average 2020 cost of a data breach for companies that had not deployed security automation.5
1 EY, Global Information Security Survey 2020, February 2020.
2 VMWare and Carbon Black, Global Threat Report: Extended Enterprise Under Threat, June 2020.
3 Ponemon Institute, Cost of a Data Breach Report 2020, July 2020.
4, 5 Ibid.

Vendors and third parties can complement — or compromise — a sound data-governance strategy.
DLP has become even more critical as many employees continue to work from home. Based on predefined rules, DLP tools can scan emails to identify restricted information like credit-card or Social Security numbers. If such information is detected, DLP tools can bar transmission of this data outside the corporate network.

Another technology trend among forward-thinking businesses is the use of machine learning (ML) to manage data. ML enables companies to establish data-classification rules and use automated processes to identify and classify information across the enterprise. This type of process automation can allow businesses to more quickly and cost-effectively identify and contain breaches. In fact, process automation helped trim the time it takes to identify and contain breaches from an average of 280 days to 206 days — with an average savings of $3.58 million, according to a 2020 study by the Ponemon Institute.3

Governance strategies still rely on people
More than ever, employee security awareness and training on current threats and their potential impacts remain the most effective, inexpensive way to curb data loss. It’s particularly important to communicate the potential real-world impact of breaches on business performance and data security. Doing so will drive home the consequences of disregarding new security processes and help ensure the success of a data-protection program.

Also critical is effective communication about data-protection programs. Businesses must clearly convey to employees why data governance is a fundamental — and increasingly urgent — business requirement, and how it syncs with regulatory obligations.

Developing a data-governance strategy can seem overwhelming to those with limited experience classifying and aligning data with cyber security programs. But businesses can realize gains by taking small steps to design a program, classify and verify data and configure a robust DLP solution. Doing so will help safeguard the business, as well as its data and employees.
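The rule-based DLP scan described above, as an added Python example that is not code from the journal: pattern rules for card and Social Security numbers, a Luhn check to cut false positives, and a block decision when restricted data is addressed to a recipient outside the corporate network. The domain names, sample messages and rule details are constructed for the example.

```python
"""Rule-based DLP check on outbound email (added example; all data constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed: mail to these domains stays inside the corporate network.
INTERNAL_DOMAINS = {"example-corp.com"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# U.S. Social Security number in the conventional AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject forms the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_restricted(text: str) -> list[tuple[str, str]]:
    """Return (rule, redacted value) for each restricted item the rules match."""
    hits: list[tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("credit-card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits


@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    reason: str
    findings: list[tuple[str, str]] = field(default_factory=list)


def evaluate_email(sender: str, recipients: list[str], body: str) -> Verdict:
    """Block the message when restricted data is bound for any external recipient."""
    findings = find_restricted(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if findings and external:
        return Verdict("block", "restricted data addressed to " + ", ".join(external), findings)
    if findings:
        return Verdict("allow", "restricted data stays inside the corporate network", findings)
    return Verdict("allow", "no restricted data found", findings)


# Constructed sample messages (sender, recipients, body); the numbers are test values, not real data.
SAMPLES = [
    ("alice@example-corp.com", ["billing@partner-example.net"],
     "Card on file: 4111 1111 1111 1111, exp 12/26. Please charge the invoice."),
    ("bob@example-corp.com", ["hr@example-corp.com"],
     "Onboarding form for the new hire, SSN 123-45-6789, attached."),
    ("carol@example-corp.com", ["friend@mail-example.org"],
     "Ticket 4111 1111 1111 1112 is open; call 555-123-4567 about order 12345678901234."),
]

if __name__ == "__main__":
    for sender, rcpts, body in SAMPLES:
        v = evaluate_email(sender, rcpts, body)
        print(f"{v.action.upper():5} {sender} -> {', '.join(rcpts)}: {v.reason} {v.findings}")
```

The third sample shows why the Luhn check matters: a 16-digit ticket number and a 14-digit order number both match the card pattern but fail the checksum, so the message is allowed.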
“New machine-learning tooling has become a game changer in the identification element of data control. With machine learning, a business can define the rules and the technology will classify the data.”
Automated processes can reduce the risk of data loss or theft.
Key takeaways:
• Understanding the variety of data a company possesses, and where it’s stored, is the fundamental first step of loss and theft prevention.
• Protecting data requires a careful consideration of potential insider threats as well as strong defenses against cyber crime.
• Strong governance and automated processes can help contain the damage from breaches, but training and active monitoring are also essential practices in data governance.
1 VMWare, Global Threat Report: Extended Enterprise Under Threat, June 2020.
2 EY, Global Information Security Survey 2020, February 2020.
3 Ponemon Institute, Cost of a Data Breach Report 2020, July 2020.
feature two
Balancing Network Access and Security
Networks are expanding and accessible to more users every day. How can companies maintain the access-security balance?
Gone are the days in which usernames and passwords were enough to verify identity and control access to key systems and data.

The security boundaries of today’s organizations are complex and evolving. Controlling access to them is no longer a yes-or-no proposition. Instead, companies must continuously monitor the behaviors and patterns of access within their networks and become smarter about how they set up access privileges in the first place.

In today’s globally connected, digitally driven economy, the “threat surfaces” of systems, tools and databases of most organizations are expanding. This means the number of information systems that require administration of user access is also increasing rapidly. To keep pace with the change, many companies are embracing an enterprise-resource-planning (ERP) model that abandons traditional, monolithic software suites in favor of a modular approach using diverse, cloud-based vendors.

This so-called postmodern ERP leads to users’ accessing data through multiple channels — and also opens up more avenues for fraudulent access. In addition, by shifting workloads to the cloud and outside the enterprise perimeter, businesses lose controls that internal IT processes would traditionally apply. Without sufficient controls, cyber threats can quickly increase.

On top of that, the number of access points to a company’s networks is multiplying every day — whether it’s users, devices or APIs. The growth is accelerated by the proliferation of connected devices, the steady move to cloud computing and the dramatic increase in remote and mobile access during the coronavirus pandemic.

Inadequate or complicated access to business systems is more than a headache. It can damage a company’s bottom line if users can’t fulfill their business responsibilities in a timely and efficient manner. Too much unregulated access, however, can present a serious cyber security hazard. When workers
Access Management
Access management now depends on continuous monitoring, rather than simply granting or denying user privileges.
have more privileges than they need, there is increased risk from external threat actors attempting to compromise accounts. Un- or under-regulated access also increases the risk of insider threats, which might include intentional fraud, theft or inadvertent mistakes, such as wiping out or corrupting large quantities of data.

A competitive balance between access and security is still possible. But decision makers must recognize how the access-management equation continues to change.

Understanding risk-appropriate access
How can companies stay safe while not overburdening employees with overly complex protections? The answer may be through a concept known as the principle of least privilege: provide users, programs or processes with the minimum privileges necessary to perform a function.

This approach grants access based on user identity, the role of the user within the organization and what information or tools they need to do their job. Risk is then evaluated end to end, from the point at which the user is authenticated and through to access administration.

In addition, companies can enforce segregation of duties (SoD), a process in which responsibilities for key processes are divided between more than one person. This can keep users from assuming excessive privileges that might allow them to circumvent normal controls — and exploit them to enrich themselves or make unchecked mistakes.

If a user needs elevated privileges (i.e., a higher level of access such as that of an administrator), those privileges need to be carefully monitored, and possibly time-bound, so users don’t have the elevated privileges perpetually.

Most importantly, companies should always think in terms of resiliency. While it’s impossible to prevent every risk, being in a position to recognize when a problem occurs and recovering quickly can dramatically reduce damage.

Access-management glossary
Elevated privilege — A higher level of access to systems and resources, such as that of an administrator.
Excessive privilege — More access privileges than the user needs to perform their duties.
Least privilege — The principle of giving users, programs or processes the minimum privileges necessary to perform a function.
Risk-appropriate access — Access based on the evaluation of end-to-end risk, considering user identity, roles the user performs in the organization and what they need to perform their duties.
Segregation of duties (SoD) — The division of responsibilities for key processes between more than one person in order to prevent fraud and error.

Interconnected networks complicate issues of access, privilege and risk.

Access management as a four-pillared business practice
Strategic access control is critical to preventing cyber security breaches, but it should enhance overall productivity and flexibility, not hinder them. In the best circumstance, access management will combine sound policies, controls and systems and address a variety of business issues that are impacted by identity and access.

By examining their needs and current maturity within a framework of four pillars — trust, enforcement, administration and insights — businesses can begin to develop an access-management strategy that will match their specific requirements.

Trust deals with the primary challenge of access management: How can a company confirm that a person is who they say they are and that any system they’re using is what it’s advertised to be? Using multi-factor authentication to verify identity with several pieces of evidence (e.g., something the user knows and something the user has) is just the first step. Public-key infrastructure (PKI) helps encrypt communications with the use of digital signatures and certificates. Enterprise mobility management (EMM) protects company data on mobile devices, which is especially critical as more employees demand bring-your-own-device (BYOD) policies. PKI and EMM are becoming increasingly common parts of a protective infrastructure along with software tools such as directory services, which can help create a map of user access behavior throughout network resources.

Enforcement tools can help an organization ensure that its access-control policies are in place throughout a varied network ecosystem. These may include access management for web servers, cloud platforms and applications. Applying principles such as least privilege and implementing privileged-access management tools to control elevated access can help enforce threat-mitigation policies. And processes such as single sign-on (SSO) also support enforcement operations by improving identity protection while delivering a streamlined user experience that enhances security compliance.

Administration tools leverage automation to streamline permissions and password management. With multiple legacy systems providing their own user accounts and permissions, companies need methods to seamlessly administer them all. This may include identity governance and administration tools to provide policy-based rules for user-identity management and access control, as well as tools for automated storage, management and protection of passwords.

Finally, regular review of established access-management processes can generate valuable insights into an organization’s operations and efficiencies. Businesses ready for a more mature access-management strategy can leverage a variety of tools that examine user behavior for patterns and characterize critical data sets.

User- and entity-behavior analytics (UEBA), for example, use machine learning to identify anomalous patterns that could be a sign of a cyber breach. Perhaps even more importantly, data-access governance can help companies gain visibility into sensitive unstructured data and enforce policies to control access to that data. Continuously analyzing access patterns and critical data, as well as monitoring SoD risks, can give organizations clearer visibility into where their sensitive data resides and who has access to it.

Four pillars of access management
Companies can protect the ever-expanding surface of their networks through a four-point strategy that may deploy a wide variety of tools and processes:
1 Trust
• Multi-factor authentication (MFA)
• Public-key infrastructure (PKI)
• Directory services
• Enterprise mobility management (EMM)
2 Enforcement
• Web-access management
• Cloud-access management
• Privileged-access management
• Externalized authorization
• Desktop single sign-on
3 Administration
• Identity governance and administration
• Password management
4 Insights
• User- and entity-behavior analytics
• Data-access governance
• Segregation-of-duties controls monitoring

“Analysis of access patterns and data flows can detect anomalous behavior and help the organization locate its most sensitive and valuable data.”
Access management strategies can streamline connections between legacy systems.

The changing landscape of network access:
• 54%: Percentage of organizations that required remote work in response to COVID-19.
• 76%: Percentage of organizations reporting that remote work would increase time to identify and contain a data breach.
• 70%: Percentage of organizations reporting that remote work would increase the cost of a data breach.1
1 All statistics from IBM Security, “The Cost of a Data Breach 2020.”

Practicing access management is an art, not a science
Ultimately, companies can benefit from a balanced approach that assesses the strength of the four pillars and allocates investment across them according to need. For instance, functional trust and enforcement capabilities depend on a viable administrative capability. But a company shouldn’t focus only on getting administration capabilities completely up to snuff before it invests in trust and enforcement. Each pillar must be robust for comprehensive and reliably safe access management.

The goal is to gain deeper insight into data and transactions while keeping access-management protocols strong. By mapping data to transactions, for example, capabilities like data-access governance, monitoring and entity-behavior analytics can produce a clearer picture of — and therefore better control over — who has access to what.
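The controls discussed above (least privilege, segregation of duties, and time-bound elevated privilege) as an automated access-review check; this is an added Python example, not code from the journal, and the role names, conflict pairs, 8-hour elevation limit and sample grants are constructed.

```python
"""Access-review check: SoD conflicts and time-bound elevated privilege (added example; data constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: pairs of roles that one identity must never hold at the same time.
SOD_CONFLICTS = [
    frozenset({"vendor-create", "payment-approve"}),
    frozenset({"payroll-edit", "payroll-approve"}),
]
# Constructed: roles treated as elevated privilege, which must therefore be time-bound.
ELEVATED_ROLES = {"domain-admin", "db-admin", "payment-approve"}
MAX_ELEVATION = timedelta(hours=8)   # longest acceptable elevation window (assumed policy value)


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    granted: datetime
    expires: datetime | None = None   # None: standing grant with no end date


def review_access(grants: list[Grant], now: datetime) -> list[tuple[str, str, str]]:
    """Return (user, finding, role) triples for every policy violation; an empty list means clean."""
    findings: list[tuple[str, str, str]] = []
    by_user: dict[str, list[Grant]] = {}
    for g in grants:
        by_user.setdefault(g.user, []).append(g)

    for user, user_grants in sorted(by_user.items()):
        # Only grants that are live right now can combine into a SoD conflict.
        live_roles = {g.role for g in user_grants if g.expires is None or g.expires > now}
        for pair in SOD_CONFLICTS:
            if pair <= live_roles:
                findings.append((user, "sod-conflict", " + ".join(sorted(pair))))
        for g in user_grants:
            if g.role not in ELEVATED_ROLES:
                continue
            if g.expires is None:
                findings.append((user, "standing-elevated", g.role))      # perpetual admin rights
            elif g.expires <= now:
                findings.append((user, "expired-not-revoked", g.role))    # window closed, grant still present
            elif g.expires - g.granted > MAX_ELEVATION:
                findings.append((user, "elevation-too-long", g.role))     # time-bound, but beyond policy
    return findings


# Constructed review snapshot.
NOW = datetime(2020, 10, 7, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE_GRANTS = [
    Grant("alice", "vendor-create", NOW - 400 * H),
    Grant("alice", "payment-approve", NOW - 1 * H, NOW + 2 * H),   # SoD conflict with vendor-create
    Grant("bob", "domain-admin", NOW - 30 * H),                    # standing elevated privilege
    Grant("carol", "db-admin", NOW - 10 * H, NOW - 2 * H),         # elevation ended, never revoked
    Grant("dave", "payroll-edit", NOW - 100 * H),                  # fine on its own
    Grant("erin", "db-admin", NOW - 1 * H, NOW + 23 * H),          # 24-hour window exceeds policy
]


def demo_findings() -> list[tuple[str, str, str]]:
    return review_access(SAMPLE_GRANTS, NOW)


if __name__ == "__main__":
    for user, finding, role in demo_findings():
        print(f"{user:6} {finding:20} {role}")
```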
Smart access-management strategies should support intuitive approaches to work.
Key takeaways:
• Continuously monitoring behaviors and patterns of access within networks can help ensure that every user, device and API has the appropriate level of access to the right resources.
• The principle of least privilege, which provides users, programs or processes with the minimum privileges necessary to perform a function, can often be foundational to company access-management strategies.
• Examining business needs and maturity against the framework of Trust, Enforcement, Administration and Insights can help develop a balanced access-management strategy.
feature three
The Science of Managing Third Parties
Many companies depend on vendors for support with client and employee business needs. How can they determine these partnerships are cyber-secure?
The fundamentals are not a third party’s jobAs data becomes more specialized and valu-
able, and regulations change how compa-
nies operate, any outside vendor will need
to know something about how their poten-
tial customer prioritizes data and intends to
use it. But that analysis can’t begin with the
As business services and operations auto-
mate and go online — into the cloud and
onto mobile devices — many companies
recognize that their prosperity depends on sophisti-
cated digital workflows and capabilities. This means
they also rely on an ever-expanding pool of experts
who can maintain and monitor every facet of their
business and customer interactions.
Most companies can’t hire all the in-house spe-
cialists they need to be competitive. This means
outside vendors are playing an expanding role in
their organizations, including information-tech-
nology (IT) functions. Even as digital functionality
and automation improve services such as bene-
fits, payroll or cloud services, there is a pressing
need for rigorous human oversight and special-
ized operations maintenance.
There are many types of vendors and software
platforms that can handle tasks that a company
chooses to outsource. However, given their con-
nections to critical industries, it is hardly sur-
prising that these same service providers have
become targets for cyber criminals and potential
jumping-off points for attempts to breach the
networks of companies they serve.
Fortunately, there are ways for companies to
evaluate any potential or existing relationships
with third-party vendors. The better companies understand their own
cyber security risks and workflows, the better equipped they are to eval-
uate the complex services market and establish partnerships that main-
tain stability and enhance growth opportunities in a secure manner.
But companies also need to understand how vendors function and
respond to emerging threats to their customers — as well as to them-
selves. Whether these vendors are managing social media, communi-
cations, cloud functionality, payroll, accounting services, cyber security
or any other essential function, they will need access to some or all of
their clients’ most important systems and data.
Standards for these outsourcing arrangements must be kept high.
Security breaches, service interruptions, regulatory violations, insider
threats and reputational damage can be the result if a company has en-
gaged a vendor that is a mismatch or doesn’t maintain appropriate con-
trols or standards.
Businesses of all types are relying on third-party services to stay competitive, but many are worried about the security risks that accompany these relationships.”
Third-Party Management
Cloud and other technologies are changing how third parties operate.
Cyber Secur it y Journa l Vo l . One / Issue Three
18 / B a n k o f A m e r i c a
Third-Party Management
How can you evaluate a vendor’s approach to cyber security?

There is no one right way to evaluate the capabilities of a service provider or the quality of an existing service contract. Decision makers can evaluate the quality of a vendor’s operations with a variety of metrics:

• Party-to-party risk review. The vendor should regularly update its clients about internal risk assessments and remediation plans.
• Remediation planning. An emergency-response plan should be available and adaptable to the client’s specifications.
• Independent review. Reports prepared by independent auditors, such as SOC reports issued under the American Institute of CPAs (AICPA) framework, can establish that vendors are operating at high standards of trust and service.
• Responsiveness. Vendors should be able to demonstrate a record of availability and timely alerts.
• Education. Third parties should demonstrate regular training and cyber security awareness-building for their employees.
• Automated reporting. Companies may receive real-time reports based on measurement of key vendor operations.
service provider: Company decision makers need to assess their needs and risks carefully before they outsource. That requires a meticulous review of people and policies, as well as technology.

Before discussions with any vendor begin, a business should have a clear sense of how and where its data flows; what regulatory conditions apply; what people, policies and technologies currently protect the data; and how it can be recovered in the event of downtime or a breach. This analysis may seem rudimentary, but the point is that such due diligence can’t be offloaded to a third-party provider, no matter how impressive its reputation or capabilities may be.

Before selecting any vendor, a company should also gauge the acceptable risk the partnership presents. For those vendors who will handle the most sensitive or valuable data — or have frequent access to the networks, and thus present the greatest risk — the standards for selection and management must be robust and adaptable.

Illustration by Jack Hudson
Set the terms of service and security

As data becomes more valuable and third-party security breaches more common, the stakes for finding the right business partnerships are only increasing. How can companies determine that these partnerships will deliver what they promise and that the vendor’s internal security controls are robust? What approach can confirm that a vendor is maintaining its standards and evolving to meet new security requirements?
A detailed service contract that speaks to the company’s requirements and risks can provide a protective framework for the relationship. Before any agreement is signed, the company needs to ask questions about risk within the vendor’s environment and make sure that regular review and reporting will be a part of the core service. Contracts also can implement key performance indicators (KPIs) that align with the outsourcing company’s risk tolerance, best practices around network testing, incident-response protocols and employee access-management controls, to name just a few potential conditions. Since technology improvements can be expensive or create a disruption in company operation or income generation, it also should be clear which party will be responsible for upgrade costs.

All contracts should reflect the organization’s risk tolerance and security concerns. They also can set the parameters for ongoing review by requiring the vendor to maintain regular testing of its networks and security training for its employees. These measures can help a company understand how the vendor approaches cyber security and set benchmarks for responsiveness and operations maintenance.

“Service contracts should require regular risk review, monitoring and remediation plans of most third-party service providers.”

Third-party contracts can set high standards for cyber security protocols.
Maintain vigilance through compliance and ongoing review

At a time when more workers than ever are remote, utilizing cloud capabilities and networks of connected devices, third-party management is facing new complications. As companies change the way they work, they must be sure vendors are responsive to emerging threats and are not introducing new vulnerabilities to the existing relationship.
Independent reports on a vendor’s practices can provide an extra layer of oversight. Such review can generate a nuanced assessment that focuses on trustworthiness and diligence, and it may be a smart addition to large and ongoing service contracts. These reports can be expensive, however, and it may be unrealistic to expect smaller service providers to assume the cost just to satisfy the expectations of one client.

Some companies may ask their vendors to submit to remote audits of their key services to verify compliance. Others may request automated reports that are generated when certain risk metrics or thresholds are passed. Those with more advanced capabilities may request that the vendor adopt certain controls to enable more real-time monitoring.
But as with any other element of digital operations, even automated tools are of limited effectiveness if the people deploying them are not responsive. A vendor that complies with a company’s security requests and submits regular reports may still be ineffective if it does not make cyber security an organizationwide priority.

In an emergency, the most reliable quality indicators may be whether or not the vendor immediately picks up a distress call and rolls out a comprehensive, effective response. But companies can gauge that responsiveness by asking the vendor in advance about its backup and remedial procedures in the event of a systems failure or security breach.

Independent review may be essential in the most critical third-party relationships.

A growing market — and growing risk

Businesses are more reliant on outsourced services than ever before. But the risk associated with the convenience is also on the rise:

• $270 billion: Estimated worldwide revenue of business-process outsourcing, 2020.[1]
• $382 billion: Estimated worldwide revenue of business-process outsourcing, 2025.[2]
• 84%: Percentage of surveyed companies that experienced a third-party risk incident in the last three years.[3]
• 17%: Percentage of surveyed companies that experienced a high-impact risk incident through a third party in the last three years.[4]
• 46%: Percentage of surveyed companies that outsource more than 50% of their digital operations to third parties.[5]

Sources:
1. Statista, Technology Market Outlook, Business Process Outsourcing, 2020.
2. Ibid.
3. Deloitte, “Third-party risk management (TPRM) global survey,” 2020.
4. Ibid.
5. Deloitte, “The Future of Cyber Survey,” 2019.

“Prioritizing company data, and understanding where it lives, is essential to managing third-party risk.”
Strong client-facing skills still matter

Ultimately, decision makers can narrow their search for the right third-party service provider by looking first for subtle, people-oriented skills. Any vendor that touches a company’s networks and most valuable data will need to demonstrate trustworthiness, a willingness to understand a client’s unique needs and accountability in terms of contracts and reputation.

Companies that take cyber security seriously and implement strong, adaptive protocols can leverage their smart approach in third-party contracts. The higher your own security and operational standards are, the more you can expect out of any vendor relationship.

Companies that prioritize cyber security should seek vendors that strive for similarly high standards of protection and awareness.
Key takeaways:
• Risk review of a contract with any service provider can be easier and more effective if internal risk assessments are thorough and based on strong protocols.
• In a rapidly changing landscape, third-party management increasingly relies on monitoring and regular reporting.
• Responsiveness and planning can be just as critical as technological expertise when companies outsource some or all of their operations to third parties.

“A third party’s protections and protocols will only be as strong as the people who maintain its operations and client services.”